CN113453230A - Terminal management method and system and security agent - Google Patents


Info

Publication number: CN113453230A
Authority: CN (China)
Prior art keywords: sub, terminal, security, key, security agent
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010216329.7A
Other languages: Chinese (zh)
Other versions: CN113453230B (en)
Inventors: 刘国荣, 金华敏, 何明, 沈军, 汪来富, 樊宁
Current assignee: China Telecom Corp Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Telecom Corp Ltd
Priority: CN202010216329.7A (the priority date is an assumption and is not a legal conclusion)
Publication: CN113453230A; application granted and published as CN113453230B
Current legal status: Active

Classifications (CPC leaf codes; all under H Electricity, H04 Electric communication technique)

    • H04L 63/0281 Network security architectures for separating internal from external traffic, e.g. firewalls: proxies
    • H04L 63/083 Network security for authentication of entities using passwords
    • H04L 63/10 Network security for controlling access to devices or network resources
    • H04L 63/1458 Countermeasures against malicious traffic: Denial of Service
    • H04L 63/20 Managing network security; network security policies in general
    • H04L 9/0891 Key distribution or management: revocation or update of secret information, e.g. encryption key update or rekeying
    • H04W 12/06 Security arrangements in wireless networks: authentication
    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]


Abstract

The invention discloses a terminal management method and system and a security agent, and relates to the field of communication. The terminal management method comprises the following steps: the security agent initiates an authentication request to a security management platform on the network side based on its own primary account number and primary key, so as to establish a connection with the security management platform once the authentication request passes; the security agent receives an access request sent by a terminal that is located in the same sub-network and bound to the security agent, where the access request comprises a sub-account number and a sub-key of the terminal; the security agent initiates authentication of the terminal according to the sub-account and the sub-key; and when the terminal passes authentication, the security agent grants the terminal the right to use the main network through the security agent. The method of the embodiment of the invention can improve the security and reliability of the platform and the terminals as a whole.

Description

Terminal management method and system and security agent
Technical Field
The present invention relates to the field of communications, and in particular, to a terminal management method and system, and a security agent.
Background
5G supports massive machine-type communication scenarios, offers billions of connections and opens up the Internet of Everything. mMTC (massive Machine Type Communication) is characterised by massive numbers of terminals and very large numbers of connections, which brings the following security challenges:
1) access and reconnection of massive terminals: a large number of terminals may generate sudden, large-scale access or reconnection attempts for service reasons, because of network jitter, or under hacker control, which may cause a signalling storm or a Distributed Denial of Service (DDoS) attack;
2) weak terminals are vulnerable: because a weak terminal has limited resources and capabilities, it is difficult for it to adopt a strong identity authentication mechanism such as a Universal Subscriber Identity Module (USIM), so the terminal has weak self-protection capability and easily becomes an object of attack and control;
3) tracing and evidence gathering for massive terminals is difficult: identifying and tracing the identities of massive terminals, and gathering evidence about them, become difficult to monitor.
Disclosure of Invention
The embodiment of the invention aims to solve the technical problem that: how to improve the security of the platform and the terminal.
According to a first aspect of some embodiments of the present invention, there is provided a terminal management method, including: the security agent initiates an authentication request to a security management platform on the network side based on its own primary account number and primary key, so as to establish a connection with the security management platform once the authentication request passes; the security agent receives an access request sent by a terminal that is located in the same sub-network and bound to the security agent, where the access request comprises a sub-account number and a sub-key of the terminal; the security agent initiates authentication of the terminal according to the sub-account and the sub-key; and when the terminal passes authentication, the security agent grants the terminal the right to use the main network through the security agent.
In some embodiments, the sub-key comprises an agent sub-key, and the step of the security agent initiating authentication of the terminal according to the sub-account and the sub-key comprises: the security agent verifying the sub-account and the sub-key in the access request against the pre-stored sub-account and the pre-stored agent sub-key.
In some embodiments, the sub-key comprises a platform sub-key, and the step of the security agent initiating authentication of the terminal according to the sub-account and the sub-key comprises: the security agent sending the sub-account and the sub-key in the access request to the security management platform, so that the security management platform can verify them against its pre-stored sub-account and platform sub-key.
In some embodiments, the terminal management method further includes: after the right to use the main network through the security agent has been granted to the terminal, the security agent forwards data messages sent by the terminal to the network side, and forwards data messages sent by the network side to the terminal.
In some embodiments, the terminal management method further includes: the security agent acquires a binding request of the terminal and binds with the terminal; the security agent sends a sub-account application request for the terminal to the security management platform; the security agent receives a sub-account application response issued by the security management platform, where the sub-account application response comprises a sub-account number of the terminal and sub-key information, the sub-key information being either a sub-key or an element used to generate the sub-key; and the security agent sends the sub-key information to the terminal for storage.
In some embodiments, the terminal management method further includes: when the sub-key information is an element for generating the sub-key, the security agent generates the sub-key from the element according to a preset key generation algorithm.
In some embodiments, the sub-account application response further includes a security policy indicating the authentication manner for the terminal; where the security policy specifies authentication by the security agent, the sub-key information includes an agent sub-key or an element for generating one; where the security policy specifies authentication by the security management platform, the sub-key information includes a platform sub-key or an element for generating one.
In some embodiments, the terminal management method further includes: in response to the time elapsed since the sub-key information was obtained exceeding a preset duration, the security agent sends a key update request for the terminal to the security management platform; the security agent receives a key update response issued by the security management platform, comprising the sub-account of the terminal and updated sub-key information; and the security agent sends the updated sub-key information to the terminal for storage.
In some embodiments, the agent subkey is stored in a security module of the security agent.
In some embodiments, the security module is a USIM (Universal Subscriber Identity Module) card or a dedicated security device.
In some embodiments, the security agent is a mobile phone and the terminal is a wearable device; or the security agent is a gateway and the terminal is a sensor; or the primary account is a number segment issued by the network operator to a virtual operator, the sub-account is a code-number resource allocated by the virtual operator within that segment, and the security agent is a device controlled by the virtual operator.
According to a second aspect of some embodiments of the present invention, there is provided a terminal management apparatus, including: the platform connection module is configured to initiate an authentication request to a security management platform on a network side based on a primary account number and a primary key of a security agent so as to establish connection with the security management platform after the authentication request passes; the access request receiving module is configured to receive an access request which is bound with the security agent and sent by a terminal located in the same sub-network, wherein the access request comprises a sub-account and a sub-key of the terminal; the terminal authentication module is configured to initiate authentication of the terminal according to the sub-account and the sub-key; and the network authority control module is configured to open the authority for using the main network through the security proxy to the terminal under the condition that the authentication of the terminal passes.
According to a third aspect of some embodiments of the present invention, there is provided a terminal management apparatus comprising: a memory; and a processor coupled to the memory, the processor configured to perform any of the foregoing terminal management methods based on instructions stored in the memory.
According to a fourth aspect of some embodiments of the present invention, there is provided a terminal management system, including: a security agent comprising the terminal management apparatus; and a security management platform.
In some embodiments, the terminal management system further comprises: one or more terminals bound to the security agent.
According to a fifth aspect of some embodiments of the present invention, there is provided a computer-readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements any one of the aforementioned terminal management methods.
Some embodiments of the above invention have the following advantages or benefits: the method of an embodiment enables hierarchical management of group users based on security agents. The security agent takes over part of the security management platform's authority over the terminal, such as security authentication and access control, so that the security of weak terminals is guaranteed and the access-storm problem faced by the network or the security management platform in Internet of Things environments such as 5G mMTC is solved. In addition, massive terminals become easier to trace through their security agent, which facilitates locating problems. The method of the embodiment can therefore improve the security and reliability of the platform and the terminals as a whole.
Other features of the present invention and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 illustrates an application scenario diagram of a terminal management method according to some embodiments of the present invention.
Fig. 2 illustrates a flow diagram of a terminal management method according to some embodiments of the invention.
Fig. 3 illustrates a flow diagram of a key distribution method according to some embodiments of the invention.
Fig. 4 illustrates a schematic structural diagram of a terminal management apparatus according to some embodiments of the present invention.
Fig. 5 illustrates a schematic diagram of a terminal management system according to some embodiments of the invention.
Fig. 6 is a schematic structural diagram of a terminal management device according to other embodiments of the present invention.
Fig. 7 shows a schematic diagram of a terminal management apparatus according to further embodiments of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 illustrates an application scenario diagram of a terminal management method according to some embodiments of the present invention. As shown in fig. 1, the security management platform 11 is located on the network side, the security agent 12 is connected to the security management platform 11 through a bearer network, one or more terminals 13 are bound under the security agent 12, and the terminal 13 and the security agent 12 are located in the same sub-network. The sub-network is, for example, a local area network or a wide area network, and the terminal 13 accesses the sub-network by wired, wireless or short-range communication technology and communicates with the security agent 12. Short-range communication technologies include, for example, Wi-Fi, ZigBee and Bluetooth, but are not limited to these.
Fig. 2 illustrates a flow diagram of a terminal management method according to some embodiments of the invention. As shown in fig. 2, the terminal management method of this embodiment includes steps S202 to S208.
In step S202, the security agent initiates an authentication request to the security management platform on the network side based on its own primary account number and primary key, so as to establish a connection with the security management platform once the authentication request passes. The connection is a secure connection. The primary account number and the primary key are the credentials the security agent uses for identity authentication.
A security agent is a device whose security capability is superior to that of the terminals it manages.
In step S204, the security agent receives an access request sent by a terminal that is located in the same sub-network and bound to the security agent, where the access request includes a sub-account and a sub-key of the terminal.
In step S206, the security agent initiates authentication of the terminal according to the sub-account and the sub-key. The authentication of the terminal may be primary authentication or secondary authentication: the terminal is authenticated either by the security agent alone, or by both the security agent and the security management platform. Which method is used may be determined by the security policy stored in the security agent.
In some embodiments, when the security agent performs the authentication, the sub-key comprises an agent sub-key, and the security agent verifies the sub-account and the sub-key in the access request against the pre-stored sub-account and the pre-stored agent sub-key. The pre-stored sub-account and agent sub-key are issued by the security management platform when the security agent registers the terminal. In some embodiments, the sub-account number and the agent sub-key are stored in a security module of the security agent; the security module may be a module of a higher security level, such as a USIM card or a dedicated security device, although it is not limited to these two. This improves the security with which the verification information is stored. In this approach the security agent takes over part or all of the authentication process, relieving load on the platform.
In some embodiments, in addition to authentication by the security agent, authentication is also performed by the security management platform. In this case the sub-key comprises a platform sub-key, and the security agent sends the sub-account and the sub-key in the access request to the security management platform, so that the platform can verify them against its pre-stored sub-account and platform sub-key. This authentication mode improves the reliability of the authentication.
In step S208, when the terminal passes authentication, the security agent grants the terminal the right to use the main network through the security agent. The main network is the network through which the servers of the terminal's applications are reached, for example the public network.
Once this right has been granted, the security agent forwards data messages sent by the terminal to the network side, and forwards data messages sent by the network side to the terminal. Because the security agent is the more capable device, it can take over the terminal's sending and receiving in this way, raising the terminal's level of protection and reducing the chance that a weaker terminal is attacked and taken under control.
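The authentication flow of steps S202 to S208, as an added Python simulation that is not code from the patent: a platform holding the agents' primary credentials and the terminals' platform sub-keys, an agent holding pre-stored agent sub-keys, and the access decision under the agent-only (primary) and agent-plus-platform (secondary) policies, followed by forwarding only for terminals that passed. Account numbers, key bytes and the in-memory storage layout are constructed for illustration.

```python
import hmac

# Authentication policies from the security policy stored in the agent:
# primary authentication (agent only) or secondary authentication (agent, then platform).
AGENT_ONLY = "agent"
AGENT_AND_PLATFORM = "agent+platform"


class SecurityManagementPlatform:
    """Network-side platform (constructed in-memory model, not the patent's implementation)."""

    def __init__(self):
        self.agents = {}     # primary account number -> primary key
        self.terminals = {}  # sub-account number -> platform sub-key

    def authenticate_agent(self, primary_account, primary_key):
        stored = self.agents.get(primary_account)
        return stored is not None and hmac.compare_digest(stored, primary_key)

    def verify_terminal(self, sub_account, platform_sub_key):
        stored = self.terminals.get(sub_account)
        return stored is not None and hmac.compare_digest(stored, platform_sub_key)


class SecurityAgent:
    """Security agent bound to the terminals of its sub-network."""

    def __init__(self, primary_account, primary_key, platform, policy):
        self.primary_account = primary_account
        self.primary_key = primary_key   # held in the USIM / security module in practice
        self.platform = platform
        self.policy = policy
        self.agent_sub_keys = {}         # pre-stored sub-account -> agent sub-key
        self.connected = False
        self.granted = set()             # sub-accounts allowed to use the main network

    def connect(self):
        # S202: authenticate to the platform with the primary account and primary key.
        self.connected = self.platform.authenticate_agent(self.primary_account, self.primary_key)
        return self.connected

    def handle_access_request(self, request):
        # S204: the request carries the terminal's sub-account and sub-key(s).
        if not self.connected:
            return False
        sub_account = request["sub_account"]
        # S206, primary authentication: compare against the pre-stored agent sub-key.
        stored = self.agent_sub_keys.get(sub_account)
        if stored is None or not hmac.compare_digest(stored, request.get("agent_sub_key", b"")):
            return False
        # S206, secondary authentication: the platform also checks the platform sub-key.
        if self.policy == AGENT_AND_PLATFORM:
            if not self.platform.verify_terminal(sub_account, request.get("platform_sub_key", b"")):
                return False
        # S208: open the right to use the main network through this agent.
        self.granted.add(sub_account)
        return True

    def forward(self, sub_account, message):
        # Only terminals that passed authentication have their messages relayed.
        return message if sub_account in self.granted else None


def run_demo():
    """Constructed scenario: one agent, two bound terminals, secondary-authentication policy."""
    platform = SecurityManagementPlatform()
    platform.agents["13800000000"] = b"constructed-primary-key"
    platform.terminals["13800000000-01"] = b"constructed-platform-subkey-01"
    agent = SecurityAgent("13800000000", b"constructed-primary-key", platform, AGENT_AND_PLATFORM)
    agent.agent_sub_keys["13800000000-01"] = b"constructed-agent-subkey-01"
    agent.agent_sub_keys["13800000000-02"] = b"constructed-agent-subkey-02"
    agent.connect()
    results = {}
    results["ok"] = agent.handle_access_request({
        "sub_account": "13800000000-01",
        "agent_sub_key": b"constructed-agent-subkey-01",
        "platform_sub_key": b"constructed-platform-subkey-01"})
    # Terminal 02 passes the agent check but has no platform record: rejected under secondary auth.
    results["no_platform_record"] = agent.handle_access_request({
        "sub_account": "13800000000-02",
        "agent_sub_key": b"constructed-agent-subkey-02",
        "platform_sub_key": b"guess"})
    results["wrong_agent_key"] = agent.handle_access_request({
        "sub_account": "13800000000-01",
        "agent_sub_key": b"wrong",
        "platform_sub_key": b"constructed-platform-subkey-01"})
    results["forwarded"] = agent.forward("13800000000-01", b"sensor reading")
    results["blocked"] = agent.forward("13800000000-02", b"sensor reading")
    return results
```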
The method of the above embodiment implements hierarchical management of group users based on security agents. The security agent takes over part of the security management platform's authority over the terminal, such as security authentication and access control, so that the security of weak terminals is guaranteed and the access-storm problem faced by the network or the security management platform in Internet of Things environments such as 5G mMTC is solved. In addition, massive terminals become easier to trace through their security agent, which facilitates locating problems. The method of the embodiment can therefore improve the security and reliability of the platform and the terminals as a whole.
In some embodiments, the security agent may also assume part of the rights for registration and key distribution of the terminal. An embodiment of the key distribution method of the present invention is described below with reference to fig. 3.
Fig. 3 illustrates a flow diagram of a key distribution method according to some embodiments of the invention. As shown in fig. 3, the key distribution method of this embodiment includes steps S302 to S308.
In step S302, the security agent obtains a binding request of the terminal and binds with the terminal. For example, the terminal may bind the security agent via a code scan, an authentication code mechanism, a push-to-talk, etc.
In step S304, the security agent sends a sub-account application request of the terminal to the security management platform. The sub-account application request includes, for example, a user name applied by the terminal, basic information of the security agent, and the like. The basic information may be, for example, identification, address, model number, and the like.
After receiving the sub-account application request, the security management platform creates a corresponding account, for example, establishes an entry with a corresponding user name in a user database, and stores information such as a subsequently allocated sub-key into the same entry or a corresponding entry.
In step S306, the security agent receives a sub-account application response issued by the security management platform, where the sub-account application response includes a sub-account number of the terminal and sub-key information, the sub-key information being either a sub-key or an element used to generate the sub-key.
In some embodiments, the sub-account application response may further include a security policy indicating the authentication manner for the terminal. Where the security policy specifies authentication by the security agent, the sub-key information includes an agent sub-key or an element for generating one; where the security policy specifies authentication by the security management platform, the sub-key information includes a platform sub-key or an element for generating one.
In some embodiments, the security agent has the right to generate keys. When the sub-key information is an element for generating the sub-key, the security agent generates the sub-key from the element according to a preset key generation algorithm. Because the sub-key itself is then never carried over the bearer network from the platform, the risk of key leakage is further reduced and security is improved.
In some embodiments, the security agent obtains the sub-key using a Key Derivation Function (KDF), for example by applying a pseudorandom function to the combination of the master key, the sub-account number and a random number. If the security policy uses secondary authentication, the sub-key can be computed once with the KDF and then divided into two parts, used respectively as the agent sub-key and the platform sub-key.
In step S308, the security agent transmits the subkey information to the terminal for storage.
By the method of this embodiment, the sub-account of a terminal can be established automatically through the security agent, which improves the flexibility of user management while keeping the established accounts controllable.
In some embodiments, the security agent may also update the sub-key periodically. In response to the time elapsed since the sub-key information was obtained exceeding a preset duration, the security agent sends a key update request for the terminal to the security management platform; the security agent receives a key update response issued by the security management platform, comprising the sub-account of the terminal and updated sub-key information; and the security agent sends the updated sub-key information to the terminal for storage. This further improves security.
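Key distribution (steps S302 to S308, with the KDF and the two-part split described above) and the age-based key update of the preceding paragraph, as an added Python example that is not code from the patent: the agent derives the sub-key from the master key, the sub-account number and a random number received as the "element", halves it into agent and platform sub-keys under the secondary-authentication policy, and regenerates it once the preset duration has elapsed. HMAC-SHA256 as the pseudorandom function, the 16-byte random number, the assignment of the first half to the agent, and the record layout are assumptions; the master key and account values in the test are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

AGENT_ONLY = "agent"                   # security policy: authentication by the agent only
AGENT_AND_PLATFORM = "agent+platform"  # security policy: agent, then platform (secondary)


def derive_sub_key(master_key: bytes, sub_account: str, random_number: bytes) -> bytes:
    """KDF over master key, sub-account number and random number (the inputs named in the text).
    HMAC-SHA256 stands in for the pseudorandom function, which the patent does not name (assumption)."""
    data = b"sub-key|" + sub_account.encode("utf-8") + b"|" + random_number
    return hmac.new(master_key, data, hashlib.sha256).digest()


def split_sub_key(sub_key: bytes):
    """Secondary authentication: one KDF output halved into (agent sub-key, platform sub-key).
    Which half plays which role is a convention both sides must share (assumed here: first half = agent)."""
    half = len(sub_key) // 2
    return sub_key[:half], sub_key[half:]


@dataclass
class SubKeyRecord:
    sub_account: str
    agent_sub_key: bytes
    platform_sub_key: Optional[bytes]  # None when only the agent authenticates the terminal
    random_number: bytes               # the "element" from the sub-account application response
    issued_at: float                   # time at which the sub-key information was obtained


def platform_issue_element(length: int = 16) -> bytes:
    """Platform side of S306: return an element for generating the sub-key (a fresh random number)."""
    return secrets.token_bytes(length)


def agent_generate_sub_keys(master_key: bytes, sub_account: str, policy: str,
                            element: bytes, now: float) -> SubKeyRecord:
    """Agent side of S306: generate the sub-key(s) from the element with the preset algorithm.
    The master key is read from the agent's security module in practice."""
    sub_key = derive_sub_key(master_key, sub_account, element)
    if policy == AGENT_AND_PLATFORM:
        agent_key, platform_key = split_sub_key(sub_key)
    else:
        agent_key, platform_key = sub_key, None
    return SubKeyRecord(sub_account, agent_key, platform_key, element, now)


def needs_update(record: SubKeyRecord, now: float, max_age: float) -> bool:
    """True once the time since the sub-key information was obtained exceeds the preset duration."""
    return now - record.issued_at > max_age


def update_if_expired(record: SubKeyRecord, master_key: bytes, policy: str,
                      now: float, max_age: float):
    """Key update: obtain a fresh element from the platform and regenerate; returns (record, updated)."""
    if not needs_update(record, now, max_age):
        return record, False
    new_element = platform_issue_element()
    return agent_generate_sub_keys(master_key, record.sub_account, policy, new_element, now), True
```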
Embodiments of the present invention may be applied to a variety of scenarios. Three scenarios are exemplarily described below.
In a scenario one, the security agent is a mobile phone, and the terminal is a wearable device.
With the development of 5G, personal wearable devices and even implanted smart chips for personal health monitoring, VR/AR and other purposes will develop further. Devices such as smart glasses, smart headphones, smart bracelets or rings and smart apparel may all serve an individual. However, most of these devices are resource-limited, have weak capabilities and have high security requirements. By adopting the terminal management method of the embodiment of the invention, group users comprising multiple terminals can be managed hierarchically, realising secure management and access for these devices.
In some embodiments, the mobile phone acts as the security agent and is responsible for account management of the wearable devices, with the mobile phone number used as the primary account, so that hierarchical management and control of the accounts is implemented. The master key and the account management and key management processes are realised in the USIM card of the mobile phone; the wearable device communicates with the mobile phone through a short-range communication technology and accesses the network through the mobile phone to communicate with the application platform.
For wearable devices that are resource-limited and of weak capability, the device adopts an integrated design, no pluggable USIM card needs to be fitted, and the demands on terminal capability are reduced by lightweight processing of keys and algorithms.
In some embodiments, the platform sub-key and the agent sub-key may be subjected to lightweight processing. For example, a sub-key is generated from the master key, the sub-account and a random number or the serial number of the mobile phone; one half of it is taken as the platform sub-key and the other half as the agent sub-key. The agent sub-key is used for authentication between the terminal and the security agent, for example by the bidirectional Authentication and Key Agreement (AKA) procedure of the third-generation mobile network; the platform sub-key is used for authentication between the terminal and the security management platform, with which the terminal can perform bidirectional authentication through the security agent or by an AKA procedure.
Because the master key of the mobile phone is stored in the USIM card, dynamic factors such as random numbers are introduced into sub-key generation, and the sub-keys can be updated regularly, key leakage can be prevented. Meanwhile, the security of the lightweight keys is guaranteed through mechanisms such as two-stage authentication, restricting the scope of use of each sub-key, and regular updates.
In scenario two, the security agent is a gateway and the terminal is a sensor.
To collect meteorological and environmental data such as air temperature and hydrology, a large number of sensors must be deployed over a certain area, particularly in key monitoring regions. Such sensors are computationally weak but numerous, and their simultaneous, large-scale access to the network may overwhelm the authentication platform.
In some embodiments, a communication gateway acts as the security agent to realise hierarchical account management and group authentication, reducing the pressure on the authentication centre. The master key and the account management and key management processes are implemented in the USIM card of the security agent. To reduce the load on the platform, the security policy may for example be set to agent authentication only.
In the third scenario, the primary account is a number segment issued by the network operator to a virtual operator, the sub-account is a code-number resource allocated by the virtual operator within that segment, and the security agent is a device controlled by the virtual operator.
The network operator can wholesale part of its code numbers and network resources to a third party to enable virtual operation. For wholesaled code-number resources, a hierarchical management and control strategy can be adopted: the network operator implements only security policy authorisation management, sub-account opening management, user access control and similar functions through the security management platform, while the security agent controlled by the virtual operator manages the terminals under it.
An embodiment of a terminal management apparatus according to some embodiments of the present invention is described below with reference to fig. 4.
Fig. 4 illustrates a schematic structural diagram of a terminal management apparatus according to some embodiments of the present invention. As shown in fig. 4, the terminal management apparatus 400 of this embodiment includes: a platform connection module 4100 configured to initiate an authentication request to a security management platform on the network side based on the primary account number and primary key of the security agent, so as to establish a connection with the security management platform after the authentication request passes; an access request receiving module 4200 configured to receive an access request sent by a terminal located in the same sub-network and bound to the security agent, where the access request includes the sub-account and sub-key of the terminal; a terminal authentication module 4300 configured to initiate authentication of the terminal according to the sub-account and the sub-key; and a network authority control module 4400 configured to grant the terminal the authority to use the main network through the security agent when the authentication of the terminal passes.
In some embodiments, the sub-key comprises an agent sub-key; the terminal authentication module 4300 is further configured so that the security agent verifies the sub-account and the sub-key in the access request against the pre-stored sub-account and agent sub-key.
In some embodiments, the sub-key comprises a platform sub-key; the terminal authentication module 4300 is further configured so that the security agent sends the sub-account and the sub-key in the access request to the security management platform, so that the security management platform verifies the sub-account and the sub-key in the access request against the pre-stored sub-account and platform sub-key.
In some embodiments, the terminal management apparatus 400 further includes: a message forwarding module 4500 configured to forward data messages sent by the terminal to the network side after the terminal has been granted the authority to use the main network through the security agent, and to forward data messages sent by the network side to the terminal.
In some embodiments, the terminal management apparatus 400 further includes: an account application module 4600 configured to obtain a binding request of a terminal and bind with the terminal; send a sub-account application request for the terminal to the security management platform; receive a sub-account application response issued by the security management platform, where the sub-account application response comprises the sub-account number of the terminal and sub-key information, and the sub-key information is either a sub-key or an element for generating the sub-key; and send the sub-key information to the terminal for storage.
In some embodiments, the terminal management apparatus 400 further includes: a key generation module 4700 configured to generate the sub-key according to a preset key generation algorithm and the element, in the case where the sub-key information is an element for generating a sub-key.
In some embodiments, the sub-account application response further includes a security policy indicating the authentication manner for the terminal; in the case where the security policy includes authentication performed by the security agent, the sub-key information includes an agent sub-key, or an element for generating an agent sub-key; in the case where the security policy includes authentication performed by the security management platform, the sub-key information includes a platform sub-key, or an element for generating the platform sub-key.
In some embodiments, the terminal management apparatus 400 further includes: a key update module 4800 configured to send a key update request for the terminal to the security management platform in response to the time elapsed since the sub-key information was acquired exceeding a preset time length; receive a key update response issued by the security management platform, where the key update response comprises the sub-account of the terminal and updated sub-key information; and send the updated sub-key information to the terminal for storage.
In some embodiments, the terminal management apparatus 400 is located in a security module.
In some embodiments, the agent subkey is stored in the security module.
In some embodiments, the security module is a subscriber identity card USIM card or a dedicated security device.
In some embodiments, the security agent is a mobile phone and the terminal is a wearable device; or the security agent is a gateway and the terminal is a sensor; or the primary account is a number segment issued by the network operator to the virtual operator, the sub-account is a code resource distributed by the virtual operator in the number segment, and the security agent is equipment controlled by the virtual operator.
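The module flow of the apparatus (platform connection 4100, access request handling 4200 to 4400, forwarding 4500, account application 4600, key update 4800) and the policy-driven choice between agent and platform authentication, as one added end-to-end example. This is illustrative code, not the patent's or China Telecom's; the SecurityManagementPlatform class is a constructed stand-in for the network side, the sub-keys are issued directly (the "sub-key" rather than "element" case), the key lifetime is a constructed value, and the clock is injected so expiry can be exercised offline:

```python
import hmac
import secrets

KEY_LIFETIME_S = 7 * 24 * 3600  # constructed "preset time length" before sub-keys are renewed


class SecurityManagementPlatform:
    """Constructed stand-in for the network-side platform: authenticates
    agents by primary account and key, issues sub-accounts with fresh
    sub-keys, and verifies platform sub-keys when an agent forwards them."""

    def __init__(self):
        self.agents = {}        # primary account -> primary key
        self.sub_accounts = {}  # sub-account -> platform sub-key
        self.seq = 0

    def register_agent(self, primary_account, primary_key):
        self.agents[primary_account] = primary_key

    def authenticate_agent(self, primary_account, primary_key):
        stored = self.agents.get(primary_account)
        return stored is not None and hmac.compare_digest(stored, primary_key)

    def issue_sub_account(self, primary_account, policy, sub_account=None):
        """Sub-account application response (or key update response when
        sub_account is given). Only the sub-key matching the security
        policy is issued, as in the description and claim 7."""
        if sub_account is None:
            self.seq += 1
            sub_account = f"{primary_account}-{self.seq:02d}"
        resp = {"sub_account": sub_account, "agent_subkey": None, "platform_subkey": None}
        if "agent" in policy:
            resp["agent_subkey"] = secrets.token_bytes(16)
        if "platform" in policy:
            resp["platform_subkey"] = secrets.token_bytes(16)
            self.sub_accounts[sub_account] = resp["platform_subkey"]
        return resp

    def verify_terminal(self, sub_account, platform_subkey):
        stored = self.sub_accounts.get(sub_account)
        return stored is not None and hmac.compare_digest(stored, platform_subkey)


class SecurityAgent:
    """Models modules 4100-4800 of the apparatus: connect to the platform,
    bind terminals, authenticate access requests per policy, gate
    forwarding on authorization, and renew sub-keys after the lifetime."""

    def __init__(self, primary_account, primary_key, platform, clock):
        self.primary_account, self.primary_key = primary_account, primary_key
        self.platform, self.clock = platform, clock  # clock: injectable time source
        self.connected = False
        self.bound = {}          # sub-account -> {policy, agent_subkey, issued_at}
        self.authorized = set()  # sub-accounts allowed to use the main network

    def connect(self):  # platform connection module 4100
        self.connected = self.platform.authenticate_agent(self.primary_account, self.primary_key)
        return self.connected

    def bind_terminal(self, policy=("agent",)):  # account application module 4600
        if not self.connected:
            raise RuntimeError("agent must authenticate to the platform first")
        resp = self.platform.issue_sub_account(self.primary_account, policy)
        self.bound[resp["sub_account"]] = {"policy": policy,
                                           "agent_subkey": resp["agent_subkey"],
                                           "issued_at": self.clock()}
        # The agent keeps only the agent sub-key; both sub-keys go to the terminal.
        return resp["sub_account"], resp["agent_subkey"], resp["platform_subkey"]

    def handle_access_request(self, sub_account, agent_subkey=None, platform_subkey=None):
        """Modules 4200-4400: check per policy, then grant main-network use."""
        rec = self.bound.get(sub_account)
        if rec is None or not self.connected:
            return False
        ok = True
        if "agent" in rec["policy"]:     # claim 2: local check against the stored agent sub-key
            ok = ok and agent_subkey is not None and hmac.compare_digest(rec["agent_subkey"], agent_subkey)
        if "platform" in rec["policy"]:  # claim 3: forwarded to the platform for verification
            ok = ok and platform_subkey is not None and self.platform.verify_terminal(sub_account, platform_subkey)
        if ok:
            self.authorized.add(sub_account)
        return ok

    def forward(self, sub_account, message):  # message forwarding module 4500
        return message if sub_account in self.authorized else None

    def maybe_renew(self, sub_account):  # key update module 4800
        rec = self.bound[sub_account]
        if self.clock() - rec["issued_at"] <= KEY_LIFETIME_S:
            return None
        resp = self.platform.issue_sub_account(self.primary_account, rec["policy"], sub_account)
        rec.update(agent_subkey=resp["agent_subkey"], issued_at=self.clock())
        self.authorized.discard(sub_account)  # terminal must re-authenticate with the new keys
        return resp["agent_subkey"], resp["platform_subkey"]
```

Two checks worth keeping when building this for real: forwarding is gated on an explicit authorization set rather than on "authentication once succeeded", so a renewal revokes access until the terminal re-authenticates, and the agent only ever verifies the half it holds; a terminal whose policy names the platform is never accepted on the agent's say-so alone.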
An embodiment of the terminal management system of the present invention is described below with reference to fig. 5.
Fig. 5 illustrates a schematic diagram of a terminal management system according to some embodiments of the invention. As shown in fig. 5, the terminal management system 50 of this embodiment includes: a security agent 510 including any one of the terminal management apparatuses 400 described above; and a security management platform 520.
In some embodiments, the terminal management system 50 further includes: one or more terminals 530 bound to the security agent 520.
Fig. 6 is a schematic structural diagram of a terminal management device according to other embodiments of the present invention. As shown in fig. 6, the terminal management apparatus 60 of this embodiment includes: a memory 610 and a processor 620 coupled to the memory 610, wherein the processor 620 is configured to execute the terminal management method in any one of the foregoing embodiments based on instructions stored in the memory 610.
Memory 610 may include, for example, system memory, fixed non-volatile storage media, and the like. The system memory stores, for example, an operating system, an application program, a Boot Loader (Boot Loader), and other programs.
Fig. 7 shows a schematic diagram of a terminal management apparatus according to further embodiments of the present invention. As shown in fig. 7, the terminal management apparatus 70 of this embodiment includes a memory 710 and a processor 720, and may further include an input/output interface 730, a network interface 740, a storage interface 750, and the like. These interfaces 730, 740, 750, as well as the memory 710 and the processor 720, may be connected, for example, by a bus 760. The input/output interface 730 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 740 provides a connection interface for various networking devices. The storage interface 750 provides a connection interface for external storage devices such as an SD card and a USB disk.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, wherein the computer program is configured to implement any one of the foregoing terminal management methods when executed by a processor.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (16)

1. A terminal management method includes:
the security agent initiates an authentication request to a security management platform at a network side based on a primary account number and a primary key of the security agent so as to establish connection with the security management platform after the authentication request passes;
the security agent receives an access request which is bound with the security agent and sent by a terminal located in the same sub-network, wherein the access request comprises a sub-account and a sub-key of the terminal;
the security agent initiates authentication on the terminal according to the sub-account and the sub-key;
and under the condition that the authentication of the terminal passes, the security agent grants the terminal the authority to use the main network through the security agent.
2. A terminal management method according to claim 1, wherein the subkey comprises an agent subkey;
wherein the step of the security agent initiating authentication of the terminal according to the sub-account and the sub-key comprises:
the security agent verifying the sub-account and the sub-key in the access request against the pre-stored sub-account and the pre-stored agent sub-key.
3. A terminal management method according to claim 2, wherein the subkey comprises a platform subkey;
wherein the step of the security agent initiating authentication of the terminal according to the sub-account and the sub-key comprises:
the security agent sending the sub-account and the sub-key in the access request to the security management platform, so that the security management platform verifies the sub-account and the sub-key in the access request against the pre-stored sub-account and platform sub-key.
4. The terminal management method according to claim 1, further comprising:
after the terminal has been granted the authority to use the main network through the security agent, the security agent forwards data messages sent by the terminal to the network side and forwards data messages sent by the network side to the terminal.
5. The terminal management method according to any one of claims 1 to 4, further comprising:
the security agent acquires a binding request of a terminal and binds with the terminal;
the security agent sends a sub-account application request of the terminal to the security management platform;
the security agent receives a sub-account application response issued by the security management platform, wherein the sub-account application response comprises a sub-account number of the terminal and sub-key information, and the sub-key information is a sub-key or an element used for generating the sub-key;
and the security agent sends the sub-key information to the terminal for storage.
6. The terminal management method according to claim 5, further comprising:
and under the condition that the sub-key information is an element for generating a sub-key, the security agent generates the sub-key according to a preset key generation algorithm and the element.
7. The terminal management method according to claim 5, wherein the sub-account application response further includes a security policy indicating an authentication manner for the terminal;
in the case where the security policy includes a manner in which authentication is performed by a security agent, the subkey information includes an agent subkey, or an element used to generate an agent subkey;
in the case where the security policy includes a manner in which authentication is performed by a security management platform, the sub-key information includes a platform subkey or an element used to generate the platform subkey.
8. The terminal management method according to claim 5, further comprising:
the security agent responds to the fact that the time length from the current moment to the moment of obtaining the sub-key information exceeds the preset time length, and sends a key updating request of the terminal to the security management platform;
the security agent receives a key updating response issued by the security management platform, wherein the key updating response comprises the sub-account of the terminal and updated sub-key information;
and the security agent sends the updated sub-key information to the terminal for storage.
9. A terminal management method according to claim 2, wherein the master key and agent subkeys are stored in a security module of the security agent.
10. The terminal management method according to claim 9, wherein the security module is a subscriber identity card USIM card or a dedicated security device.
11. The terminal management method according to claim 1,
the security agent is a mobile phone, and the terminal is wearable equipment; or
The security agent is a gateway, and the terminal is a sensor; or
The primary account is a number segment issued by a network operator to a virtual operator, the secondary account is a code resource distributed by the virtual operator in the number segment, and the security agent is equipment controlled by the virtual operator.
12. A terminal management apparatus comprising:
the platform connection module is configured to initiate an authentication request to a security management platform on a network side based on the primary account number and the primary key of the security agent so as to establish connection with the security management platform after the authentication request passes;
an access request receiving module configured to receive an access request sent by a terminal located in the same sub-network and bound to the security agent, wherein the access request includes a sub-account and a sub-key of the terminal;
the terminal authentication module is configured to initiate authentication of the terminal according to the sub-account and the sub-key;
and a network authority control module configured to grant the terminal the authority to use the main network through the security agent under the condition that the terminal passes the authentication.
13. A terminal management apparatus comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the terminal management method of any of claims 1-11 based on instructions stored in the memory.
14. A terminal management system, comprising:
a security agent comprising the terminal management device of claim 12 or 13; and
a security management platform.
15. The terminal management system of claim 14, further comprising:
one or more terminals bound with the security agent.
16. A computer-readable storage medium on which a computer program is stored, which program, when executed by a processor, implements the terminal management method of any one of claims 1 to 11.
CN202010216329.7A 2020-03-25 2020-03-25 Terminal management method and system and security agent Active CN113453230B (en)

Publications (2)

Publication Number Publication Date
CN113453230A true CN113453230A (en) 2021-09-28
CN113453230B CN113453230B (en) 2023-11-14


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant